
GuidedPass: Helping Users to Create Strong and Memorable Passwords

Part of the Lecture Notes in Computer Science book series (LNSC, volume 11050)

Abstract

Password meters and policies are currently the only tools that help users create stronger passwords. However, such tools often do not provide consistent or useful feedback to users, and their suggestions may decrease the memorability of the resulting passwords. Passwords that are difficult to remember promote bad practices, such as writing them down or reusing them, so stronger passwords do not necessarily improve authentication security. In this work, we propose GuidedPass – a system that suggests real-time password modifications to users, which preserve the password’s semantic structure while increasing password strength. Our suggestions are based on structural and semantic patterns mined from successfully recalled and strong passwords in several IRB-approved user studies [30]. We compare password creation with our approach to creation under the NIST [12] policy, the Ur et al. [26] guidance, and the zxcvbn password meter. We show that GuidedPass outperforms the competing approaches both in password strength and in recall performance.

Keywords

  • Password
  • Usable security
  • Password meter
  • Authentication


References

  1. Frequently occurring surnames from the census 2000. http://www.census.gov/topics/population/genealogy/data/2000_surnames.html. Accessed 14 Oct 2015

  2. Ansaldo, A.I., Marcotte, K., Scherer, L., Raboyeau, G.: Language therapy and bilingual aphasia: clinical implications of psycholinguistic and neuroimaging research. J. Neurolinguistics 21(6), 539–557 (2008)

  3. Blum, M., Vempala, S.S.: Publishable humanly usable secure password creation schemas. In: Third AAAI Conference on Human Computation and Crowdsourcing (2015)

  4. Bonneau, J., Schechter, S.E.: Towards reliable storage of 56-bit secrets in human memory. In: USENIX Security Symposium, pp. 607–623 (2014)

  5. Burnett, M.: Today I am releasing ten million passwords (2015). https://xato.net/today-i-am-releasing-ten-million-passwords-b6278bbe7495

  6. de Carnavalet, X.D.C., Mannan, M.: From very weak to very strong: analyzing password-strength meters. In: NDSS, vol. 14, pp. 23–26 (2014)

  7. Crawford, S.D., Couper, M.P., Lamias, M.J.: Web surveys: perceptions of burden. Soc. Sci. Comput. Rev. 19(2), 146–162 (2001)

  8. Dell’Amico, M., Filippone, M.: Monte Carlo strength evaluation: fast and reliable password checking. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 158–169. ACM (2015)

  9. Egelman, S., Sotirakopoulos, A., Muslukhov, I., Beznosov, K., Herley, C.: Does my password go up to eleven?: the impact of password meters on password selection. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 2379–2388. ACM (2013)

  10. Florêncio, D., Herley, C.: Where do security policies come from? In: Proceedings of the Sixth Symposium on Usable Privacy and Security, p. 10. ACM (2010)

  11. Florêncio, D., Herley, C., Van Oorschot, P.C.: Pushing on string: the ‘don’t care’ region of password strength. Commun. ACM 59(11), 66–74 (2016)

  12. Grassi, P.A., et al.: DRAFT NIST special publication 800-63B digital identity guidelines (2017)

  13. NEA Guidelines: NIST special publication 800-63B version 1.0.2 (2006)

  14. Habib, H., et al.: Password creation in the presence of blacklists (2017)

  15. Hanesamgar, A., Woo, K.C., Mirkovic, J.: Leveraging semantic transformation to investigate password habits and their causes. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (2018)

  16. Inglesant, P.G., Sasse, M.A.: The true cost of unusable password policies: password use in the wild. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 383–392. ACM (2010)

  17. Ji, S., Yang, S., Wang, T., Liu, C., Lee, W.H., Beyah, R.: PARS: a uniform and open-source password analysis and research system. In: Proceedings of the 31st Annual Computer Security Applications Conference, pp. 321–330. ACM (2015)

  18. Kelley, P.G., et al.: Guess again (and again and again): measuring password strength by simulating password-cracking algorithms. In: 2012 IEEE Symposium on Security and Privacy (SP), pp. 523–537. IEEE (2012)

  19. Komanduri, S., Shay, R., Cranor, L.F., Herley, C., Schechter, S.E.: Telepathwords: preventing weak passwords by reading users’ minds. In: USENIX Security, pp. 591–606 (2014)

  20. Komanduri, S., et al.: Of passwords and people: measuring the effect of password-composition policies. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 2595–2604. ACM (2011)

  21. Shay, R., et al.: Can long passwords be secure and usable? In: Proceedings of the 32nd Annual ACM Conference on Human Factors in Computing Systems, pp. 2927–2936. ACM (2014)

  22. Shay, R., et al.: Designing password policies for strength and usability. ACM Trans. Inf. Syst. Secur. (TISSEC) 18(4), 13 (2016)

  23. Shay, R., et al.: Encountering stronger password requirements: user attitudes and behaviors. In: Proceedings of the Sixth Symposium on Usable Privacy and Security, p. 2. ACM (2010)

  24. Summers, W.C., Bosworth, E.: Password policy: the good, the bad, and the ugly. In: Proceedings of the Winter International Symposium on Information and Communication Technologies, pp. 1–6. Trinity College Dublin (2004)

  25. UCREL CLAWS7 Tagset (2016). http://ucrel.lancs.ac.uk/claws7tags.html

  26. Ur, B., et al.: Design and evaluation of a data-driven password meter. In: CHI 2017: 35th Annual ACM Conference on Human Factors in Computing Systems, May 2017

  27. Ur, B., et al.: How does your password measure up? The effect of strength meters on password creation. In: USENIX Security Symposium, pp. 65–80 (2012)

  28. Veras, R., Collins, C., Thorpe, J.: On the semantic patterns of passwords and their security impact. In: Network and Distributed System Security Symposium (NDSS 2014) (2014)

  29. Wheeler, D.L.: zxcvbn: low-budget password strength estimation. In: Proceedings of USENIX Security (2016)

  30. Woo, S., Kaiser, E., Artstein, R., Mirkovic, J.: Life-experience passwords (LEPs). In: Proceedings of the 32nd Annual Conference on Computer Security Applications, pp. 113–126. ACM (2016)


Acknowledgement

We thank our shepherd Tudor Dumitras and the anonymous reviewers for their helpful feedback on drafts of this paper. This research was supported by the MSIT (Ministry of Science and ICT), Korea, under the ICT Consilience Creative program (IITP-2017-R0346-16-1007) supervised by the IITP (Institute for Information & communications Technology Promotion), and by the NRF of Korea through the MSIT (NRF-2017R1C1B5076474).

Corresponding author

Correspondence to Simon S. Woo.


Copyright information

© 2018 Springer Nature Switzerland AG


Cite this paper

Woo, S.S., Mirkovic, J. (2018). GuidedPass: Helping Users to Create Strong and Memorable Passwords. In: Bailey, M., Holz, T., Stamatogiannakis, M., Ioannidis, S. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2018. Lecture Notes in Computer Science, vol 11050. Springer, Cham. https://doi.org/10.1007/978-3-030-00470-5_12

  • DOI: https://doi.org/10.1007/978-3-030-00470-5_12

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-00469-9

  • Online ISBN: 978-3-030-00470-5

  • eBook Packages: Computer Science, Computer Science (R0)